Today a post from Magneto Bold Too IT support. A little public service announcement about how to conquer arsehats that come in, make themselves at home and shit all over your metaphorical carpet.

Yesterday morning I got a message from one of my Facebook lovelies saying that my blog was coming up as a suspected malware site. To me everything looked fine, except that my Dashboard was all screwy but I just put that down to NOT UPDATING WORDPRESS YET (*slaps head and then bashes it on the keyboard for good measure*). I hollered out to my Twitter peeps asking if anyone else had any problems and everyone was all ‘nup, looks good to me!’ and were probably secretly thinking I was trying to up my stats or ad hits or something…

Anyway, one person was all ‘you have been hacked girl, check your source code’.

Oh. My. Freaking. GOD!

HUNDREDS of links to unsavoury {unlike this here wholesome blog *snort*} sites were at the end of the source code.

*insert freak out of EPIC proportions and caffeine IV drip*

After TWELVE HOURS of work and many tears of frustration {and episodes of The Big Bang Theory and then the Matrix while waiting for downloads} we were rid of those uninvited visitors.

*CAVEAT #2* Don’t log into your WordPress admin area. Because the site’s been compromised, don’t trust the WordPress built-in scripts. We’re doing a lot of this by hand, until we’re pretty sure we’re safe to log in and modify stuff automatically.

FTP Client (FireFTP Plugin for Firefox will do. Use the Terminal or CLI if you’re brave and crazy)
Your site’s FTP location, username and password. If you don’t know, talk to your admin, pass this job onto the person who set your blog up, or find a friendly 13 year old l33t h4ckz0r.
A Text Editor (Notepad (Win), TextEdit (Mac), whatever came with your OS).
*RECOMMENDATION* Firefox 3.5 (or greater) and the NoScript plugin. Freakin awe … wait for it … some.

Procedure:

0. Backup

You do this regularly, right? Right. Me too. Every 3rd leap year. *sigh*

a) On your local computer, create a folder with a name that reflects what it is. E.g: BackupBlog-Nov-2009
b) Open your FTP client.
c) Enter your site details – site, username & password.
d) Somewhere in the preferences, you will have to turn on the ability to see hidden files (FYI files that start with a ‘.’ (period, dot, full stop …) are hidden by FTP sites and most operating systems. We want to see them so we can fix them).
e) Copy everything from your site to that folder you created, so that it looks identical – the same file structure, same folder names, same every freakin’ thing. Compare and check you have it all.
f) Vow to yourself that you will do this regularly.
g) Really mean it this time.

… Right. Welcome back. To reiterate, we’re looking for files named:
.htaccess (these are invisible (like that cloak in the Harry Potter movie …), so set your FTP client to see hidden files)
index.php in root folder
wp-config.php in root folder
index.php in wp-admin folder
index.php in wp-content/yourtheme/ folder
default-filters.php in wp-includes folder
any file starting with ‘PE’, followed by gibberish numbers and ending with ‘.php’

We can’t just delete them – we need to download (to your computer), examine, edit and save back (to your site) if necessary. Some we will delete. And we will enjoy doing it too.

I looked and found copies of these files in many folders. Go through each carefully and meticulously.

When you find one:

i) Download it to your computer (I created a folder on my desktop just for this purpose).
ii) Make a copy of the file and rename it. eg: I renamed index.php to index-bad.php (this is so if you fark it up badly, you can always go back to the copy and compare).
iii) Open the file with your text editor.
iv) Examine, then edit and save or delete depending on what’s in there:

a) If a file (any ‘index.php’ or ‘wp-config.php’) contains something similar to this code:

delete from ‘RewriteEngine On’ to the last line in the block. Again, be careful, there may be ‘legitimate’ code in there with similar commands. This is in one big (steaming shitty) block, with a list of search engines and sites.

Remember – your ‘infection’ may not look identical to the text above. Use your common sense. It’s a list of search engines and sites.

Once you’ve cleaned it – save it back to your site.

If the .htaccess file contains *only* that pattern of code – you can nuke it! Yep, delete the son-of-a-bitch from your site. Pew Pew Pew. Take that – mothafarker!

Feels good, doesn’t it? This is a long campaign, you have to celebrate where you can …

c) any file starting with ‘PE’, followed by gibberish numbers and ending with ‘.php’

Delete it. No farking around. Make ‘Pew Pew Pew’ noises. Have fun with it. You know you want to …

v) Check, check and check

If you know what you are doing, you can use geeky tools to search for the strings above in your backup to make sure you’ve missed nothing.
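For the ‘geeky tools’ route, here is an added example (my own, not from the original post) that sweeps your local backup folder for the file names listed above and flags any .htaccess containing ‘RewriteEngine On’ so you can open each one in your text editor. It assumes a POSIX shell with find and grep, deletes nothing, and the sample tree it builds is constructed for demonstration only.

```shell
#!/bin/sh
# Added example, not the original post's code. Scans a local backup of the
# site for the files the post says to inspect. Nothing is modified or deleted.

# List every hidden .htaccess, every PE<digits>.php, and every copy of the
# files the post names (index.php, wp-config.php, default-filters.php).
list_suspects() {
  backup="$1"
  find "$backup" -type f -name '.htaccess'
  # "files starting with 'PE', followed by gibberish numbers, ending in '.php'"
  find "$backup" -type f -name 'PE*.php' | grep -E '/PE[0-9]+\.php$' || true
  find "$backup" -type f \( -name 'index.php' -o -name 'wp-config.php' \
                            -o -name 'default-filters.php' \)
}

# Print the .htaccess files that contain a rewrite block, for manual review:
# legitimate ones exist too, so read each before deciding what to cut.
flag_rewrite_blocks() {
  find "$1" -type f -name '.htaccess' -exec grep -l 'RewriteEngine On' {} +
}

# Constructed sample backup tree (not real site data) so the script can be
# run stand-alone; point the functions at your own backup folder instead.
make_sample_backup() {
  dir=$(mktemp -d)
  mkdir -p "$dir/wp-admin" "$dir/wp-content/themes/mytheme" "$dir/wp-includes"
  printf '<?php // clean\n' > "$dir/index.php"
  printf 'RewriteEngine On\nRewriteRule ^ index.php\n' > "$dir/.htaccess"
  printf 'Options -Indexes\n' > "$dir/wp-admin/.htaccess"
  printf '<?php // dropped file\n' > "$dir/wp-content/PE19283.php"
  printf '<?php\n' > "$dir/wp-includes/default-filters.php"
  echo "$dir"
}

sample=$(make_sample_backup)
echo "Files to download and examine:"
list_suspects "$sample"
echo ".htaccess files with a RewriteEngine block:"
flag_rewrite_blocks "$sample"
rm -r "$sample"
```

Replace the constructed sample with the path of the BackupBlog folder you made in step 0 and work through every path it prints.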

Now open your blog via its normal URL, and make sure it’s all working.

2. Update WordPress

Because your site’s been compromised, we didn’t trust the WordPress built-in scripts. But if you’ve done the job right, you should be fine logging into your blog’s admin pages.

When I first did this, the pages looked freaky, and Firefox and/or its ‘NoScript’ plugin was telling me that I was being blocked from a nasty site. So I went back and found more infected files that I missed.

When you catch them all (‘Pokemon!’), it should look fine.

Now, find the update links and do it.

FYI: I was brave and stupid and updated WordPress manually (do a google). I don’t want to do it again. Ever. Thank googleness for the backup. I thought I broke it (and feared for my life!). 10 mins of sweat induced keyboarding, and we was back in business.

I had to replace cleaned config files from said backup to the site – again, google is your friend.

3. Change Passwords

WordPress and FTP.

a) WordPress – you can do yourself in the admin pages.
b) FTP – Gooooooooooooooogle. Some sites, you can do it, others – only the system administrator can. Be nice to your sysadmin. What they lack in social skills, they make up for in memory. Looooooooooooooong memories. Longer than Gooooooooooooooogle. Freakin’ Looooooooooooooooooooooooooooong.

So, that’s it. Good luck then, and off you go blogging.

Just update WordPress and backup more often. ‘K? Thx.

~~~~~~~~~~~~~~~~~~~~~~~~

Many thanks to NathanelB on Twitter for the links to the freaking AWESOME websites, Joyce for the heads up on the malware thingy, Sue for handholding and advice and ALL my Twitter and Facebook peeps for keeping me sane and sending hugs.

Great to see that you were able to fix the mess that some piece of crap created. Just reading the above post had me confused and left with a migraine, so i can only send sympathies, hugs and a bucket load of coffee and chocolate to you and your awesomeness.

I have been contemplating starting a blog.. I’m what I think you bloggers call a lurker.. I very rarely comment but I am an avid reader.. I think the above post has just decided for me.. This shit is all a little too complicated and I think I’ll go back to lurking..

Excellent explanation of how to fix the problem – please ignore my FB message asking you how you did it 🙂

I use the plugin wp-backup to send me a copy of my database, by email, weekly and make sure I have a copy of my current template on my hard disk. Hostgator does a weekly backup too so if all else fails I can pay them $15 to restore their backup for me but last time I had a nasty they did not charge me to reinstall my own backup.

I understood maybe 5% of all that, so I think I’ll stick with non-blogging, thanksverymuch, and regular backing up of files to my external hard drive. I have many, many family photos scanned in that I couldn’t bear to lose, including family tree stuff dating back to 1834. I had a trojan infection earlier this year and emailed a local computer doc who helped me clean it up. I didn’t have to do anything like what you’ve detailed above, just downloaded a program he recommended and set it working. Now it does a full scan once a week. So far, so good.

You have got to be kidding…this makes you even more awesome because I would just close my blog and start a new one and say screw it to the history…I mean, I can’t even download a song..glad you got your site back to where you want it to be…WHEW!